How the most massive botnet scam ever made millions for Estonian hackers

A botnet trojan disguised as a video codec infected over 4 million computers …

More details have emerged about how the seven alleged Estonian and Russian hackers indicted by the US on Wednesday managed to hijack over 4 million computers worldwide, many of them at government agencies and large companies, and rake in over $14 million from legitimate businesses. The scheme, which dates back to 2007, used a common botnet trojan to divert Web traffic from its intended destination to the sites of advertisers who paid for traffic delivery, believing it was being provided through legitimate paid links.

The malware at the center of the scam, which the FBI investigated under the name "Operation Ghost Click," is DNSChanger. It is a trojan that, once installed, changes the system's Domain Name System (DNS) settings so that every name lookup goes to resolvers the attackers run. Whoever controls those resolvers decides which address each name resolves to, and so effectively controls where all of the infected system's outbound Internet traffic ends up. The trojan also looks for other systems on the local network that obtain their settings through the Dynamic Host Configuration Protocol (DHCP) and attempts to change their DNS settings as well, pulling computers on the LAN that were never directly infected under the same control.

The botnet and its DNS servers were controlled by Rove Digital, an Estonian company that has made millions off botnets, and its hosting subsidiary Esthost. Trend Micro senior threat researcher Feike Hacquebord wrote in a blog post that his company had known the identity of the company controlling the DNSChanger botnet since 2006, but had held off on publishing the information to allow law enforcement to take action.

Rove Digital had also been operating a fake antivirus scam "affiliate program" called Nellicash, through which it sold information stolen from victims of FAKEAV downloads. And the company even operated its own domain registrar, Estdomains—until it was taken down in 2008 when it lost ICANN accreditation after Rove Digital CEO Vladimir Tsastsin was convicted of credit card fraud in Estonia.

DNSChanger has been a known threat for years; its installer is disguised as a codec supposedly required to watch a website's video content, and it has been spread widely through pornographic websites. "Victims’ computers became infected with the Malware when they visited certain websites or downloaded certain software to view videos online," the FBI stated in its release on the case. DNSChanger can infect both Windows PCs and Macs. (An explanation of just how a porn-site trojan ended up on hundreds of NASA and other government computers was not part of the government's statement on the case.)

On Wednesday, Estonian police arrested Tsastsin and five others at Rove Digital, and authorities in the US disabled the command-and-control network, including rogue DNS servers in New York and Chicago. Because those DNS servers were still the only resolvers that millions of infected computers knew how to reach, simply switching them off would have cut those machines off from the Internet. The FBI therefore commissioned the Internet Systems Consortium to replace them with legitimate DNS servers so that users' Internet access would not be interrupted.

The easiest way to tell whether your system has been infected by DNSChanger is to check which DNS server IP addresses are configured in your computer's network settings and compare them with the addresses of the rogue servers. The FBI has provided a Web tool for users to check whether their DNS server is one of the rogue servers, along with a list of the rogue servers' IP address ranges.
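As an added example (not from the article and not the FBI's tool), here is a small script that does the check just described: it pulls the configured resolver addresses out of a resolv.conf file (Linux, macOS) or out of `ipconfig /all` output (Windows) and reports any that fall inside a rogue netblock. The two netblocks in ROGUE_RANGES and the two configuration samples are constructed for the demo using RFC 5737 documentation ranges; substitute the ranges from the FBI's published list before trusting a result.

```python
"""Check a host's configured DNS resolvers against known-rogue netblocks.

Added example for this article; it is not the FBI's tool or the article's code.
The netblocks in ROGUE_RANGES and the two configuration samples below are
CONSTRUCTED for the demo (RFC 5737 documentation ranges): replace them with
the address ranges from the FBI's published list before trusting a result.
"""
import ipaddress
import os
import re

# Placeholder rogue netblocks (constructed; NOT the FBI's list).
ROGUE_RANGES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Constructed sample of a Linux/macOS /etc/resolv.conf after a hijack.
SAMPLE_RESOLV_CONF = """\
# constructed sample for the demo, not a real capture
nameserver 198.51.100.7
nameserver 10.0.0.1
search example.net
"""

# Constructed sample of the relevant part of Windows `ipconfig /all` output.
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : example.net
   IPv4 Address. . . . . . . . . . . : 10.0.0.23
   DNS Servers . . . . . . . . . . . : 192.0.2.53
                                       10.0.0.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""


def resolvers_from_resolv_conf(text):
    """Return the nameserver addresses listed in resolv.conf-style text."""
    servers = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, tokenize
        if len(fields) >= 2 and fields[0] == "nameserver":
            servers.append(fields[1])
    return servers


def _is_ip(value):
    """True if value is a literal IPv4/IPv6 address (IPv6 scope id tolerated)."""
    try:
        ipaddress.ip_address(value.split("%", 1)[0])
        return True
    except ValueError:
        return False


def resolvers_from_ipconfig(text):
    """Return the DNS server addresses from `ipconfig /all` output.

    The first address sits on the "DNS Servers" line; any further ones are
    on continuation lines holding nothing but an address.
    """
    servers = []
    in_dns_block = False
    for line in text.splitlines():
        m = re.match(r"\s*DNS Servers[ .]*:\s*(\S+)", line)
        if m:
            servers.append(m.group(1))
            in_dns_block = True
            continue
        if in_dns_block:
            if _is_ip(line.strip()):
                servers.append(line.strip())
            else:
                in_dns_block = False       # next setting starts; block is over
    return servers


def rogue_resolvers(addresses, rogue_ranges=ROGUE_RANGES):
    """Return those addresses that fall inside one of the rogue netblocks."""
    hits = []
    for addr in addresses:
        if not _is_ip(addr):
            continue                       # hostnames cannot be range-checked
        ip = ipaddress.ip_address(addr.split("%", 1)[0])
        # `in` is False across address families, so IPv6 resolvers never
        # match an IPv4 netblock by accident.
        if any(ip in net for net in rogue_ranges):
            hits.append(addr)
    return hits


def check_this_host():
    """Check the live /etc/resolv.conf if there is one, else the sample."""
    if os.path.exists("/etc/resolv.conf"):
        with open("/etc/resolv.conf") as f:
            configured = resolvers_from_resolv_conf(f.read())
    else:
        configured = resolvers_from_resolv_conf(SAMPLE_RESOLV_CONF)
    return configured, rogue_resolvers(configured)


if __name__ == "__main__":
    configured, bad = check_this_host()
    print("configured resolvers:", configured)
    print("in rogue ranges:     ", bad or "none")
    windows = resolvers_from_ipconfig(SAMPLE_IPCONFIG)
    print("sample Windows host: ", rogue_resolvers(windows))
```

Two caveats when using this. First, the article notes that the trojan also goes after other devices on the LAN, so check the DNS servers configured on the home router as well as on each computer; a machine that gets its resolver from the router by DHCP can be pointed at a rogue server without any setting on the machine itself looking wrong. Second, a clean result only says the resolver settings are currently clean; it does not prove the trojan was never installed.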

I would imagine if you are using a router at home and have the DNS set manually (say, to Google's public DNS servers) you would be OK on this right? Even if the botnet changed the DNS on your machine, the traffic still has to go through the router.

But it doesn't have to use the router's DHCP settings. If it's specifically going to some outside server for name resolution, your router will most likely just let it go there.

Trend Micro senior threat researcher Feike Hacquebord wrote in a blog post that his company had known the identity of the company controlling the DNS Changer botnet since 2006, but had held off on publishing the information to allow law enforcement to take action.

Wait, Trend knew about this in 2006 and it took law enforcement FIVE YEARS to put a case together?

You must also bust out the flamethrower instead of the flyswatter when you see a spider on the wall.

Only when my wife isn't looking. :)

An additional benefit to this arrangement is that my mistyped URLs never redirect to pages full of ads when I enter an incorrect address. It took about 20 minutes to set up, and my firewall makes sure that only clients on my home network can see the server. What's not to like about it?

Not particularly surprising or unreasonable. I would imagine you have to be good at covering your tracks to run an operation of this size. It probably takes a good deal of patient digital sleuthing and boots on the ground work to make an ironclad case against the top figures in the scheme.

Plus they didn't pirate movies, they were only stealing little people's money.

Er. Running your own DNS server wouldn't help you if you were infected with the trojan. It changes the DNS setting on the client computer, causing it to bypass your local DNS server.

Similarly, setting the DNS server in your router won't help. When you do that, your router hands out its own address to the DHCP clients. The trojan would replace that info with a compromised DNS server.

You could protect yourself by preventing all outbound DNS traffic at your router/firewall (UDP/TCP ports 53) but this wouldn't stop you from getting infected by the trojan, it would just make all your internet services fail miserably when you did get infected.

Pretty clever... simple, effective and apparently relatively safe. If they hadn't kept it going for so long, I wonder if they would've been caught. Maybe they should've settled for $10 million.

When telling less computer literate friends/family why they need to care about computer security and browsing habits, they often ask for examples of these million-computer botnets and how they make money for the controllers (I think they're convinced I'm full of shit). This is a very good and easy to understand example :-)

I'm assuming this requires you to run an executable program. I never understood the need to do that even if you are watching the pr0nz. If it doesn't just play in a browser window or in VLC as a standard format, you're doing it wrong. No need to install anything else to just watch a stupid video (even if they do have nice gazungas).

Hmm...I feel as though someone must have established a best practices guide for optimum pr0nz viewing...

I'm in favour of flamethrowers and guns to kill flies and spiders. I also run my own DNS server and redirect all tcp/udp 53 traffic to my own DNS resolver. This is much more effective since no matter what the DNS setting is on the client, the traffic will still hit my DNS server.

So.... I would have to have d/l'd something to my Mac, have proactively given it my Mac's pass, actively installed it, and you are saying that not only would it have infected my Mac, it would have figured out the password to my Time Capsule router and changed the DNS IP on that?

Wow, what a smart Trojan.

Nope, you're not getting it. That DNS setting on your timecapsule is only useful if your client is set to ask the timecapsule to do lookups. If you installed the trojan, it would no longer ask your timecapsule for DNS information, it would go directly to the internet at large

You're right about the other stuff, though. Any mac trojan that's going to change your DNS settings is going to need an admin password entered. The real talent is in socially engineering you to think that you were doing it for something legitimate.

So what are you using to do this? None of the commercial inexpensive routers I've worked with have this option. Running your own gateway?

I'm running OpenBSD/PF to do this. I got a cheap used Dell GX280 with 3GB of ram and a 160Gig hard drive for $200. It does all my dns, email, www hosting, and IPv6 tunneling to HE.NET. Works great. Look ma - no dlink or netgear.
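The port-53 redirect that this commenter runs on OpenBSD/PF, written out as an added pf.conf fragment. This is an illustration, not the commenter's actual configuration: the LAN interface name em1 and the resolver address 192.168.1.1 are assumptions, and the syntax is that of OpenBSD 4.7 and later (rdr-to on the pass rule). It also shows the alternative to the earlier suggestion of blocking outbound port 53 at the firewall: redirecting instead of blocking keeps an infected client's lookups working while denying it the rogue resolver.

```pf
# Added example pf.conf fragment (not the commenter's real config).
# OpenBSD 4.7+ syntax. Assumptions: the LAN interface is em1 and a local
# recursive resolver listens on the firewall's LAN address 192.168.1.1.
int_if   = "em1"
resolver = "192.168.1.1"

# Rewrite the destination of every DNS packet arriving from the LAN so that
# it reaches the local resolver, whatever server the client asked for.
# A resolver address planted by DNSChanger is therefore ignored on the wire.
pass in quick on $int_if inet proto { tcp, udp } \
    from $int_if:network to any port domain \
    rdr-to $resolver port domain

# Defence in depth: forwarded DNS from the LAN must never leave the egress
# interface directly. The resolver's own upstream queries are generated on
# the firewall with its egress address as source, so they are not matched.
block out quick on egress inet proto { tcp, udp } \
    from $int_if:network to any port domain
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading with `pfctl -f /etc/pf.conf`. Two limits worth keeping in mind: the redirect only catches DNS on port 53, so malware that resolves names through some other port or tunnel is unaffected, and it does nothing to prevent infection in the first place. It also makes an infected machine behave normally, which is good for the user but means the hijacked resolver setting goes unnoticed unless you also inspect the client's configuration.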

Maybe I'm missing something, but how did they make money by redirecting traffic?

Did they redirect directly to paid landing pages? From what I've read, I assumed they were spoofing clicks, but DNS redirection implies more?

The DNS redirection is part of the scam. While the FBI hasn't given the full details, I suspect there was also some HTML injection going on via the trojan that added referral data to make it look like the clicks were coming from an affiliate site or something.
